Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 22, 2021, 6:38 p.m.	March 22, 2021, 6:42 p.m.

Size	9.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2151c4b970eff0071948dbbc19066aa4`
SHA256	`ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e144e000dd97c1abbc78`
CRC32	`1AF435DE`
ssdeep	`192:hJLUwuWWtqqKGCaGMSsCZssyPv0bQF2T:jLUHHEeCaLSsys172`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

cVI5v4hgahjKJBO4qaFks3SD.exe "C:\Users\test22\AppData\Local\Temp\cVI5v4hgahjKJBO4qaFks3SD.exe"
2952
- 4vAYzzZecewY7zkMr7EiwgUR.exe "C:\Users\test22\Documents\4vAYzzZecewY7zkMr7EiwgUR.exe"
  668
- qJJJ5PjC2OdKiUWQLp469ttl.exe "C:\Users\test22\Documents\qJJJ5PjC2OdKiUWQLp469ttl.exe"
  5860
- ScKRrxLE7CjrRCRzkCjU1Fnn.exe "C:\Users\test22\Documents\ScKRrxLE7CjrRCRzkCjU1Fnn.exe"
  7012
  - ScKRrxLE7CjrRCRzkCjU1Fnn.exe "C:\Users\test22\Documents\ScKRrxLE7CjrRCRzkCjU1Fnn.exe"
    6688
- 4DcEhngDii9jWa300VqydC7E.exe "C:\Users\test22\Documents\4DcEhngDii9jWa300VqydC7E.exe"
  7932
  - 4DcEhngDii9jWa300VqydC7E.exe "C:\Users\test22\Documents\4DcEhngDii9jWa300VqydC7E.exe"
    1432
- ygI0QLcrBImRDyNapFSUIXac.exe "C:\Users\test22\Documents\ygI0QLcrBImRDyNapFSUIXac.exe"
  7000
- g48buoQfafbTYKRsRvLFhkSV.exe "C:\Users\test22\Documents\g48buoQfafbTYKRsRvLFhkSV.exe"
  3944
- n0oSwoEaFqSuaqsUFmRSJHZJ.exe "C:\Users\test22\Documents\n0oSwoEaFqSuaqsUFmRSJHZJ.exe"
  7804
  - cmd.exe cmd.exe /c taskkill /f /im chrome.exe
    4428
    - taskkill.exe taskkill /f /im chrome.exe
      7120
  - xcopy.exe xcopy "C:\Users\test22\AppData\Local\Google\Chrome\User Data" "C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
    1240
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\test22\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
    3568
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef23a6e00,0x7fef23a6e10,0x7fef23a6e20
      8164
- 1dQ3IWYgjVIIBuNVqOAUOdYX.exe "C:\Users\test22\Documents\1dQ3IWYgjVIIBuNVqOAUOdYX.exe"
  3004
- 8TQPHIQ9bFjdlAY5aKlWh2Xb.exe "C:\Users\test22\Documents\8TQPHIQ9bFjdlAY5aKlWh2Xb.exe"
  3292
- 8qwycjgOGj3uIj9CDxTRd249.exe "C:\Users\test22\Documents\8qwycjgOGj3uIj9CDxTRd249.exe"
  7824
- R9dJ2GRjtUDM4kOUAhgCSabA.exe "C:\Users\test22\Documents\R9dJ2GRjtUDM4kOUAhgCSabA.exe"
  1388

Name	Response	Post-Analysis Lookup
aretywer.xyz	A 45.144.30.78	45.144.30.78
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.99.190
www.yzxjgr.com	A 103.155.92.70	103.155.92.70
iplogger.org	A 88.99.66.31	88.99.66.31
www.fjzbqb.com	A 188.225.87.175	188.225.87.175
msiamericas.com	A 141.136.39.190	141.136.39.190
www.fddnice.pw	A 103.155.92.58	103.155.92.58
d0wnl0ads.online
file.ekkggr3.com	A 104.21.66.169 A 172.67.162.110	172.67.162.110
digitalassets.ams3.digitaloceanspaces.com	A 5.101.110.225	5.101.110.225
whatitis.site	A 91.200.41.57 A 92.63.99.163	92.63.99.163
mytoolsprivacy.site	A 179.43.158.179	179.43.158.179
jg3.3uag.pw
www.cncode.pw	A 144.202.76.47	144.202.76.47
www.investinae.com	CNAME investinae.com A 108.167.143.77	108.167.143.77

IP Address	Status	Action
103.124.106.203	Active	Moloch
103.155.92.58	Active	Moloch
103.155.92.70	Active	Moloch
104.21.66.169	Active	Moloch
104.23.99.190	Active	Moloch
108.167.143.77	Active	Moloch
141.136.39.190	Active	Moloch
144.202.76.47	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
179.43.158.179	Active	Moloch
188.225.87.175	Active	Moloch
188.93.233.223	Active	Moloch
45.144.30.78	Active	Moloch
5.101.110.225	Active	Moloch
88.99.66.31	Active	Moloch
91.200.41.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49807 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49809 -> 104.23.99.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:55957 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49821 -> 108.167.143.77:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49814 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49815 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.200.41.57:80 -> 192.168.56.102:49810	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49812 -> 103.124.106.203:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49813 -> 188.93.233.223:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 179.43.158.179:80 -> 192.168.56.102:49819	2014819	ET INFO Packed Executable Download	Misc activity
TCP 188.93.233.223:80 -> 192.168.56.102:49813	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 188.93.233.223:80 -> 192.168.56.102:49813	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 103.155.92.70:80 -> 192.168.56.102:49816	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.124.106.203:80 -> 192.168.56.102:49812	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.124.106.203:80 -> 192.168.56.102:49812	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49817 -> 141.136.39.190:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49817 -> 141.136.39.190:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49817 -> 141.136.39.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 179.43.158.179:80 -> 192.168.56.102:49819	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.200.41.57:80 -> 192.168.56.102:49810	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.200.41.57:80 -> 192.168.56.102:49810	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
UDP 192.168.56.102:51983 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49839 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49837 -> 144.202.76.47:80	2016777	ET INFO HTTP Request to a *.pw domain	Potentially Bad Traffic
TCP 45.144.30.78:80 -> 192.168.56.102:49820	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49840 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49846 -> 103.155.92.58:80	2016777	ET INFO HTTP Request to a *.pw domain	Potentially Bad Traffic
UDP 192.168.56.102:62262 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 141.136.39.190:443 -> 192.168.56.102:49817	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.136.39.190:443 -> 192.168.56.102:49817	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49807 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49809 104.23.99.190:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	ce:69:3b:0c:23:1f:bf:e1:a4:87:d2:44:26:54:a5:e4:bd:26:2f:7a
TLSv1 192.168.56.102:49839 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49840 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (26 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (26 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2021, 6:38 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:38 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:40 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:40 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:40 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0

Command line console output was observed (50 out of 900 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F9FEA6D-37C.pma console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\6217\crl-set console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\6217\LICENSE console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\6217\manifest.fingerprint console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\6217\manifest.json console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\6217\_metadata\verified_contents.json console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\manifest.fingerprint console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\manifest.json console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_metadata\verified_contents.json console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\07b75c1be57d68fff1b0c61d2315c7bae6577c5794b76aeebc613a1a69d3a21c.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\084114980071532c16190460bcfc47fdc2653afa292c72b37ff863ae29ccc9f0.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\2245450759552456963fa12ff1f76d86e0232663adc04b7f5dc6835c6ee20f02.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\293c519654c83965baaa50fc5807d4b76fbf587a2972dca4c30cf4e54547f478.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\2979bef09e393921f056739f63a577e5be577d9c600af8f94d5d265c255dc784.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\35cf191bbfb16c57bf0fad4c6d42cbbbb627202651ea3fe12aefa803c33bd64c.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\41c8cab1df22464a10c6a13a0942875e4e318b1b03ebeb4bc768f090629606f6.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\4494652eb0eeceafc44007d8a8fe28c0dae682bed8cb31b53fd33396b5b681a8.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\46a555eb75fa912030b5a28969f4f37d112c4174befd49b885abf2fc70fe6d47.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\51a3b0f5fd01799c566db837788f0ca47acc1b27cbf79e88429a0dfed48b05e5.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5581d4c2169036014aea0b9b573c53f0c0e43878702508172fa3aa1d0713d30c.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5614069a2fd7c2ecd3f5e1bd44b23ec74676b9bc99115cc0ef949855d689d0dd.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5cdc4392fee6ab4544b15e9ad456e61037fbd5fa47dca17394b25ee6f6c70eca.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5ea773f9df56c0e7b536487dd049e0327a919a0c84a112128418759681714558.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\63f2dbcde83bcc2ccf0b728427576b33a48d61778fbd75a638b1c768544bd88d.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\68f698f81f6482be3a8ceeb9281d4cfc71515d6793d444d10a67acbb4f4ffbc4.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\6f5376ac31f03119d89900a45115ff77151c11d902c10029068db2089a37d913.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\747eda8331ad331091219cce254f4270c2bffd5e422008c6373579e6107bcc56.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\7a328c54d8b72db620ea38e0521ee98416703213854d3bd22bc13a57a352eb52.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\7d3ef2f88fff88556824c2c0ca9e5289792bc50e78097f2e6a9768997e22f0d7.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\8775bfe7597cf88c43995fbdf36eff568d475636ff4ab560c1b4eaff5ea0830f.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8e377cd0ec80ddc10.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\ac3b9aed7fa9674757159e6d7d575672f9d98100941e9bdeffeca1313b75782d.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\adf7befa7cff10c88b9d3d9c1e3e186ab467295dcfb10c24ca858634ebdc828a.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\b21e05cc8ba2cd8a204e8766f92bb98a2520676bdafa70e7b249532def8b905e.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\b3737707e18450f86386d605a9dc11094a792db1670c0b87dcf0030e7936a59a.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\bbd9dfbc1f8a71b593942397aa927b473857950aab52e81a909664368e1ed185.sth console_handle: 0x00000013	1	1
WriteConsoleW March 22, 2021, 6:39 p.m.	buffer: C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\c652a0ec48ceb3fcab170992c43a87413309e80065a26252401ba3362a17c565.sth console_handle: 0x00000013	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2021, 6:38 p.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ March 22, 2021, 6:39 p.m.	stacktrace: 0x2c8211f 0x2380a05 0x23802b6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 68 64 b9 65 fc e8 bb 1b 01 00 8b 44 25 00 86 d2 exception.instruction: push 0xfc65b964 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2ce6108 registers.esp: 1637704 registers.edi: 4294967294 registers.eax: 1637736 registers.ebp: 1637816 registers.edx: 0 registers.ebx: 1 registers.esi: 11870288 registers.ecx: 1637816	1
__exception__ March 22, 2021, 6:39 p.m.	stacktrace: 0x2c9211f 0x2390a05 0x23902b6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 68 64 b9 65 fc e8 bb 1b 01 00 8b 44 25 00 86 d2 exception.instruction: push 0xfc65b964 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2cf6108 registers.esp: 1637704 registers.edi: 4294967294 registers.eax: 1637736 registers.ebp: 1637816 registers.edx: 0 registers.ebx: 1 registers.esi: 15409232 registers.ecx: 1637816	1
__exception__ March 22, 2021, 6:40 p.m.	stacktrace: 0x180004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 e4 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x180004 registers.r14: 277083000 registers.r15: 277196864 registers.rcx: 1392 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 277082256 registers.rsp: 277081976 registers.r11: 277085872 registers.r8: 1999536524 registers.r9: 0 registers.rdx: 1400 registers.r12: 277082616 registers.rbp: 277082112 registers.rdi: 277234112 registers.rax: 1572864 registers.r13: 64771296	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://whatitis.site/dlc/mixinte
suspicious_features	Connection to IP address	suspicious_request	GET http://103.124.106.203/cof4/inst.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://188.93.233.223/proxy1.exe
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.fjzbqb.com/Home/Index/lkdinl
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1ixtu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1iPtu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/mH2EJxkv

Performs some HTTP requests (16 events)

request	GET http://whatitis.site/dlc/mixinte
request	GET http://103.124.106.203/cof4/inst.exe
request	GET http://188.93.233.223/proxy1.exe
request	GET http://www.yzxjgr.com/askhelp28/askinstall28.exe
request	GET http://file.ekkggr3.com/iuww/jvppp.exe
request	GET http://mytoolsprivacy.site/downloads/privacytools3.exe
request	GET http://aretywer.xyz/Corepad092.exe
request	GET http://www.yzxjgr.com/askinstall28.exe
request	GET http://www.cncode.pw/
request	GET http://www.fddnice.pw/
request	POST http://www.fjzbqb.com/Home/Index/lkdinl
request	GET https://iplogger.org/1ixtu7
request	GET https://iplogger.org/1iPtu7
request	GET https://pastebin.com/raw/mH2EJxkv
request	GET https://iplogger.org/1hVa87
request	GET https://iplogger.org/1Gbzj7

Sends data using the HTTP POST Method (1 event)

request

POST http://www.fjzbqb.com/Home/Index/lkdinl

Resolves a suspicious Top Level Domain (TLD) (3 events)

domain	jg3.3uag.pw	description	Palau domain TLD
domain	www.fddnice.pw	description	Palau domain TLD
domain	www.cncode.pw	description	Palau domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 54 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:38 p.m.	process_identifier: 668 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 5860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a0b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 5860 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 7012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008cb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 7012 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 7932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 7932 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 7000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a0b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 7000 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 3944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 3944 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 3004 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 3004 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 3004 region_size: 9498624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 3004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 663552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c8e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 3292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009eb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 3292 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 1388 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 1388 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 1388 region_size: 9498624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

cVI5v4hgahjKJBO4qaFks3SD.exe tried to sleep 151 seconds, actually delayed analysis time by 151 seconds

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 3568 crashed
__exception__ March 22, 2021, 6:40 p.m.	stacktrace: 0x180004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 e4 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x180004 registers.r14: 277083000 registers.r15: 277196864 registers.rcx: 1392 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 277082256 registers.rsp: 277081976 registers.r11: 277085872 registers.r8: 1999536524 registers.r9: 0 registers.rdx: 1400 registers.r12: 277082616 registers.rbp: 277082112 registers.rdi: 277234112 registers.rax: 1572864 registers.r13: 64771296	1	0	0

Steals private information from local Internet browsers (50 out of 1486 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\UrlSoceng.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\manifest.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.19.0_0\_locales\pt_PT\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\LOG
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8e377cd0ec80ddc10.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\de
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.18.0\_metadata\verified_contents.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com_0.indexeddb.leveldb\LOG.old
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fil\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\c652a0ec48ceb3fcab170992c43a87413309e80065a26252401ba3362a17c565.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fi\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\0.57.44.2492\_platform_specific\x86_64\pnacl_public_pnacl_json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed\2ddb697a-187a-48b1-a298-fa511059acaa.tmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\es_419\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\5ea773f9df56c0e7b536487dd049e0327a919a0c84a112128418759681714558.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\el\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\ja
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.18.0\manifest.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\no
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\it\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\ca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\ca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\el\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\28da9c56fde4021055a681112c092453f74d8dd8\86db32f4-11be-40e4-83e8-b602b85321c3\a461a5be400b28fc_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\cs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\cs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_PT\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\ru
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_metadata\computed_hashes.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.19.0_0\_locales\en_GB
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_metadata\computed_hashes.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.19.0_0\_locales\gu\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\da
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\86.247.200\em004_64.dll
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.19.0_0\_locales\fr
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\pt_PT

Creates executable files on the filesystem (50 out of 3782 events)

file	C:\Users\test22\Documents\HOGmAMDANZnxIS4lGc3upJEm.exe
file	C:\Users\test22\Documents\bqvKADEDA8tOHRj85nhTbqxE.exe
file	C:\Users\test22\Documents\tXPPcJstVV4xCsh8inDOTxzE.exe
file	C:\Users\test22\Documents\CJTLtVrY9pl2vg6JdqcBVgpr.exe
file	C:\Users\test22\Documents\A1UCk79NXlI1MxlnlV5l2sWm.exe
file	C:\Users\test22\Documents\SYmVezGpRuvx7olCcsErg6lA.exe
file	C:\Users\test22\Documents\xocDuXDs99iMTiElHM0rXry0.exe
file	C:\Users\test22\Documents\05nPlc3zLWJg84zqghsOI23p.exe
file	C:\Users\test22\Documents\DRYfmb99nDMQV4ipkY6oUBAY.exe
file	C:\Users\test22\Documents\KLgHLVaBSv11GPbvcyL3XBGY.exe
file	C:\Users\test22\Documents\WpBTjeDynjXAJ0BoDDmTunJc.exe
file	C:\Users\test22\Documents\dodbcFSneVmSJfeLIPGHFaUm.exe
file	C:\Users\test22\Documents\a9V0EBg9pEG87dLfeUADE4Cr.exe
file	C:\Users\test22\Documents\rDV4bWrShuAEmB0QOe1YZ3Fx.exe
file	C:\Users\test22\Documents\5xFv04qroScZuxTgNzNTD4WK.exe
file	C:\Users\test22\Documents\t6Sg9HLaQkwK0MmYJG3SY9mG.exe
file	C:\Users\test22\Documents\ku5vAJFa9k47IjO7GGeR9w2O.exe
file	C:\Users\test22\Documents\KxpAoY4H4KDl2hbPVfLpm2BG.exe
file	C:\Users\test22\Documents\RWypmf2DGbs1knu7w0eDqq2Q.exe
file	C:\Users\test22\Documents\Md6SChfIv3WZZvyKED6rBLgC.exe
file	C:\Users\test22\Documents\3Xqq4P1ULYeboOLDr0coFXmY.exe
file	C:\Users\test22\Documents\IlwlEmLTKmKwc68XuY6VxG0j.exe
file	C:\Users\test22\Documents\I00kFDhCw0eMafub4SyUWxa0.exe
file	C:\Users\test22\Documents\HEZE5HVhq4bKHgasDGZUP5mn.exe
file	C:\Users\test22\Documents\xG5hB5hhI3T9NRTYLrxLZGNn.exe
file	C:\Users\test22\Documents\AVDdjDDlDZDCCscboK23FUEW.exe
file	C:\Users\test22\Documents\xQD3xesCKONxAjvMfmziEDTP.exe
file	C:\Users\test22\Documents\MIIheAfhzgQPTEmTBx9DHdC7.exe
file	C:\Users\test22\Documents\S4UOlxJhnwqiOB2gPqrd0chI.exe
file	C:\Users\test22\Documents\vI23JALhtFIqyifcOMZGyxZT.exe
file	C:\Users\test22\Documents\R9uuJLpPq7Xyu1NuwWaNiiUH.exe
file	C:\Users\test22\Documents\4y7sO7xj2ZadLzWGxlOrQrx7.exe
file	C:\Users\test22\Documents\Rp805Cl9Me41mMVdaqX8f4TB.exe
file	C:\Users\test22\Documents\s6bwaEj5DFvxNeY2vr6EtoPq.exe
file	C:\Users\test22\Documents\7lUQCLfxlGujJNIDCL8L3AbP.exe
file	C:\Users\test22\Documents\qViR5JVjOPFDqT82hGOGrBe8.exe
file	C:\Users\test22\Documents\nF75FOpAJmdS2FftDUaXVZoU.exe
file	C:\Users\test22\Documents\YhazMZMB7V4d4wu23RWpgjgQ.exe
file	C:\Users\test22\Documents\bLjxH4qtH7lAe4tKtkbm3QSQ.exe
file	C:\Users\test22\Documents\ZiiTHHFqlIUwp8AINj2L9kN4.exe
file	C:\Users\test22\Documents\YgbHfJNx7w2Xuag6iUw9MIdg.exe
file	C:\Users\test22\Documents\dUEmqGpCjlvNM4CXc9F4ZnXY.exe
file	C:\Users\test22\Documents\Koi0ubOuCoixz88twLNNpfMg.exe
file	C:\Users\test22\Documents\0Kwz1mXFCCIUxEtexrQNS8gM.exe
file	C:\Users\test22\Documents\j6VjHvG0lzxl8POO7aN0ve04.exe
file	C:\Users\test22\Documents\8v3nZvQY29XbqqAyHhj1XKzM.exe
file	C:\Users\test22\Documents\LmLrqujiZQlcbrZz3DPX19K7.exe
file	C:\Users\test22\Documents\bGSPSFWWvTcy452FceGLys4N.exe
file	C:\Users\test22\Documents\ZDkCZAdKZtXez8xdnpPWbgzq.exe
file	C:\Users\test22\Documents\DVwHBBNKbzuCUOekyLgTp95N.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 22, 2021, 6:39 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004b0 filepath: C:\Program Files (x86)\E819wt4A9rSM9b.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Program Files (x86)\E819wt4A9rSM9b.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0
NtCreateFile March 22, 2021, 6:39 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000000d0 filepath: C:\Users\test22\jeNSw.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\jeNSw.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0

Creates a suspicious process (1 event)

cmdline

cmd.exe /c taskkill /f /im chrome.exe

Drops a binary and executes it (7 events)

file	C:\Users\test22\Documents\4vAYzzZecewY7zkMr7EiwgUR.exe
file	C:\Users\test22\Documents\ScKRrxLE7CjrRCRzkCjU1Fnn.exe
file	C:\Users\test22\Documents\g48buoQfafbTYKRsRvLFhkSV.exe
file	C:\Users\test22\Documents\8TQPHIQ9bFjdlAY5aKlWh2Xb.exe
file	C:\Users\test22\Documents\8qwycjgOGj3uIj9CDxTRd249.exe
file	C:\Users\test22\Documents\R9dJ2GRjtUDM4kOUAhgCSabA.exe
file	C:\Users\test22\Documents\fjog8iMALo8SHlwDwsItN6oy.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\4DD3.tmp
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\recovery\101.3.34.11\ChromeRecovery.exe

Executes one or more WMI queries (2 events)

wmi	SELECT Caption FROM Win32_OperatingSystem
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 3496 thread_handle: 0x000004e0 process_identifier: 1240 current_directory: filepath: track: 1 command_line: xcopy "C:\Users\test22\AppData\Local\Google\Chrome\User Data" "C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\" /s /e /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000538	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 22, 2021, 6:38 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process cvi5v4hgahjkjbo4qafks3sd.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv March 22, 2021, 6:38 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦^Râï0âï0âï0ü½´æï0ë¥ôï0ë£ñï0âï1ï0ë³iï0ë´Þï0ë¤ãï0ë¡ãï0Richâï0PELI\|ªKà &¼É@@àh¢Á µÈ(øÆxpD° @@ü.texts$& `.rdata¢@*@@.dataH4Ð¶@À.rsrc(øúÌ@@.text0ÅOÆOÆÀéÌÌÌÌÌÌÌÌÌÌÌQD$VhDCPjÿ¼@Cðöu2À^YÃWVjÿÀ@CVjøÿ0ACWðÿøACL$hDCQT$Røè D$ÄÀu_2À^YÃPVjWèD$Pè§Ä_°^YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌQVhÀDCh¤DCÇD$ÿXBCPÿ`BCðötD$Pÿ¸@CPÿÖD$^YÃÌÌÌÌìt¡°ÑC3Ä$pj<D$ jPÇD$ DÇD$$è®Ä3ÀhL$\QPÇD$D$D$D$ÿ4BCÀu2À$p3Ìè[ÄtÃVT$\R$phPèÍL$hj.Qè3ÒhüDCfD$thPè+L$\|QhàDCèmþÿÿÄ(À58BCT$\RÿÖøÿuph$hPhÐDCÿ<BCL$\j\Qè¨P$phRèÈ$xPL$thQè.T$\|RhàDCèóýÿÿÄ(ÀuD$\PÿÖøÿt:L$QT$Rjjjjjjÿ@BCP$PÿDBCÀu#L$\QÿHBC2À^$p3Ìè0ÄtÃT$jÿRÿPBCL$D$PQÿLBCT$5TBCRÿÖD$PÿÖL$\QÿHBC$t^3Ì°èÜÄtÃÌÌÌÌÌÌÌÌÌÌéUÌÌÌÌÌÌÌÌÌÌÌÁ;ÁsÈÿÃL$3ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌ÷d$Òwrøÿw3ÀÃÈÿÃÌÌÌÌÌÌÌÌVW\|$ñWÇFÇFÿBCÀuÿt hè_Æ^ÂÌÌÌÌÌÌÌÌVqVÿ0BC^ÃÌÁÃÌÌÌÌÌÌÌÌÌÌÌÌÌÀtPÿBCÃ3ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌéÆÌÌÌÌÌÌÌÌÌÌÌVñÀtPÿBCvöt VèÄ^ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌD$ÃÌÌÌÌÌÌÌÌÌÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌD$T$ ÃÌÌÌD$P@Éuù+ÂÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌD$L$T$Vt$PQRVèÄÆ^ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌD$L$T$Vt$PQRVèÞÄÆ^ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÁL$ÂÌÌÌÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÁÃÌÌÌÌÌÌÌÌÌÌÌÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÁÇÃÌÌÌÌÌÌÌD$ÂÌÌÌÌÌÀtÃ3ÀÃÌÌÌÌT$3É;ÁÁÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌ3À9ÀÃÌÌÌÌÌÌÌÌVD$PñèÇ ECÆ^ÂÌÌÌÌÌÌÌÇ ECéÌÌÌÌÌVñÇ ECèöD$t VèÙÄÆ^ÂÌÌÌÌÌÌÌÌÌÌÌÌ¶D$¶T$Vñ¶L$ÁàÁÁàÂPÿ@CFÆ^ÂÌÌAPÿ@CÃÌÌÌÌÌVñVÿ,BCÆ^ÃÌÌQÿ(BCÃÌÌÌÌÌÌÌÌQÿ$BCÃÌÌÌÌÌÌÌÌQÿ BCÃÌÌÌÌÌÌÌÌD$=!À/t'= Àt=Àt =Àu#¸8FCÃ¸øECÃ¸ÄECÃ¸ECÃ=#Àt#ÀtPh\|ECh<æCèúÄ¸<æCÃ¸\ECÃ¸(ECÃÌÌÌÌÌÌ¡\æCÀu hxFChdFCÿBCPÿ`BC£\æCÀtL$QÿÐÃD$ÃÌÌÌÌÌÌÌÌÌÌìt¡°ÑC3Ä$pS$UV´$W¼$hLD$jPÇD$èªÄL$QVÿBCPÿBCT$,jjjRèL$03íÁÕÿÕ¬Ð PSVÁê $lhFCRè received: 2920 socket: 2220	1	2920	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (39 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeTrustedCredManAccessPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeTrustedCredManAccessPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (14 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (8 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW March 22, 2021, 6:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker		2
RegOpenKeyExW March 22, 2021, 6:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW March 22, 2021, 6:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW March 22, 2021, 6:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004ac options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW March 22, 2021, 6:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004ac options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW March 22, 2021, 6:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW March 22, 2021, 6:39 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW March 22, 2021, 6:39 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	cmd.exe /c taskkill /f /im chrome.exe
cmdline	taskkill /f /im chrome.exe
cmdline	C:\Users\test22\Documents\46Ox7KjWEjGeYBlPa54R2Dir.exe
cmdline	C:\Users\test22\Documents\opbxum1Uei5Q8Le8UFdeDOSc.exe
cmdline	C:\Users\test22\Documents\I0irPLnGAexs5gpMZYOJCwSC.exe
cmdline	C:\Users\test22\Documents\U6z5hV9kkxQp1DfyGYFpf1sc.exe
cmdline	C:\Users\test22\Documents\KuFin9LNme4M605oEDOoAAAt.exe

Communicates with host for which no DNS query was performed (3 events)

host	103.124.106.203
host	172.217.25.14
host	188.93.233.223

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 6688 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 1432 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Attempts to identify installed AV products by registry key (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msCurSQ3ykJOCOtr4ZsRYuLSXI2ZwcTR

Installs itself for autorun at Windows startup (50 out of 3749 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HtGaMJh0Qom33zaFPd812ID6RCNRQNvX	reg_value	C:\Users\test22\Documents\4vAYzzZecewY7zkMr7EiwgUR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sVtS4dz7TRYjzIXrWFb8NITNmCG2ic96	reg_value	C:\Users\test22\Documents\asRFt8RT75ITMqT1h8TShcY9.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ZhbjfRIYYf1Q5wbDSNk4SvYkCgp2X7Z1	reg_value	C:\Users\test22\Documents\qJJJ5PjC2OdKiUWQLp469ttl.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\J0g9mQBaFA8dmJWeBg6QMqSAO0RUYF9N	reg_value	C:\Users\test22\Documents\ScKRrxLE7CjrRCRzkCjU1Fnn.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Z6m4GF4XE3XOX7v5EmrgS47f7RCcST05	reg_value	C:\Users\test22\Documents\ygI0QLcrBImRDyNapFSUIXac.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lnByBVZVkDOexCVUAPA42wCe8G7zCbFu	reg_value	C:\Users\test22\Documents\hgvv8qC9AupFAgNzEPOEDB6Z.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Dbnt573tNW5Opcr46scCS5Dzlhz4XjSJ	reg_value	C:\Users\test22\Documents\n0oSwoEaFqSuaqsUFmRSJHZJ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\8ebWZlYDWRrf1xzgZD3T9CcHYyIYH9Wn	reg_value	C:\Users\test22\Documents\1dQ3IWYgjVIIBuNVqOAUOdYX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DwQLAVfUUZqBOh7xsSfTq9J5BU8lcA5X	reg_value	C:\Users\test22\Documents\g48buoQfafbTYKRsRvLFhkSV.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mUJqX42TdTGLF3PEwcvH9jjlaHuHUH32	reg_value	C:\Users\test22\Documents\4DcEhngDii9jWa300VqydC7E.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\viPQJv9WZNFraCk5wHbUdfQsVxBsE2lP	reg_value	C:\Users\test22\Documents\FXcNe0poqpGDUrv7FlCBQzFC.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rg4VtRRhm0ZAkoUXlgou2KGSQ7r7nb1h	reg_value	C:\Users\test22\Documents\Sab5lZf5ptnGmDgDBGOJYuiP.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ZmEwjT4K82IYAQ2cVPSwqUoufUMv39aD	reg_value	C:\Users\test22\Documents\1MoEeJLYbFevngcWv1h2GyXG.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vxH0JLPDCyyUTiplQbsIf32DyiKZtwhz	reg_value	C:\Users\test22\Documents\zho2EZyHLTxvXDVf9Fh1gkaE.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\rlaV8DhF6yQbWbh2iVWBGnx1LjTuiG8G	reg_value	C:\Users\test22\Documents\8TQPHIQ9bFjdlAY5aKlWh2Xb.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0JpjUqsXFT8Szdhm3reGYzl24DCkB0TP	reg_value	C:\Users\test22\Documents\8qwycjgOGj3uIj9CDxTRd249.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iwoQnIWP9sB09Yuwa4XDwY8TzsjdTR70	reg_value	C:\Users\test22\Documents\R9dJ2GRjtUDM4kOUAhgCSabA.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\yVa5i25svKSgwoUY7wE8MwtbW6qjpjyK	reg_value	C:\Users\test22\Documents\hdlFbB6l8xMLjYVmxumYCXOJ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\l9ilLWCMVHQUYOx6u8GrVUVgGiJbIi29	reg_value	C:\Users\test22\Documents\PcQGkBCG2eaZGz0IZNaPSP7C.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oCfmNlDwPRzJtLeTDlPHQW7ly8BpDi0O	reg_value	C:\Users\test22\Documents\eOelca4fbOE8iftLadfTIPqR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\E4xOjYtrakmgOEYvTZ68nq5Ohxq1RTO8	reg_value	C:\Users\test22\Documents\hN7Z5SS0LRtRpkbO8MQhAjBR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\8irwr2ZHWoTitWQPIJbly0QmxwCwEoUK	reg_value	C:\Users\test22\Documents\MpVBeDQwhC1E7493yfOknCoY.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SE84znCrTJhwUV3oDw8EH7BWmlhGM0j7	reg_value	C:\Users\test22\Documents\B7C5WeFpmusTkbKbO8bekDjI.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ClRNF5fdkjYZrlI269VG7kcPeoAZZu32	reg_value	C:\Users\test22\Documents\X4nSfKz9sAAb3XG3FxayEfAU.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ICsa5GEzqgfZVO9UFjlatIQydgu12xsA	reg_value	C:\Users\test22\Documents\4SP43l3wfg1U8qLeoi2FJ3Xc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\w47ZVN62yfdidJbmsM8rdynqXUSUxIt8	reg_value	C:\Users\test22\Documents\5xv02c1YcBobKwIZih9kR6sA.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RQBA4mEpwfesEdHQJtnrL7YxY3OaQnAD	reg_value	C:\Users\test22\Documents\EuE8fcDOEwnpSk6ZGX1F7Ag7.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\2OmAYoZIeae7x3zHZK9NDlrLjlKprwpZ	reg_value	C:\Users\test22\Documents\OHqOaCUcr73wGNUmPl5NXywU.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hbbwduaruEmchnrFG6pRTBbMwy338ckw	reg_value	C:\Users\test22\Documents\UVVLaTEDivSptWzWvyyNziRQ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9P9o0htSezYc9sMyW16tHwbZAvvOVr3D	reg_value	C:\Users\test22\Documents\DFo92RkyVk4ouXyIHtG22A6f.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xjoFve6w6UUzskga4H3fmhaolVsDL294	reg_value	C:\Users\test22\Documents\IJ9mS57y0mK49VJZgSgBDNYM.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\JAeZw2lDUZE4uxKCFhzOjvnSowRFvDk1	reg_value	C:\Users\test22\Documents\uxzsQ1CVpX8oBTr6vFH6U3jQ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XLv9kgSQyMrLO4pc7CcobBE2kTKqNxy2	reg_value	C:\Users\test22\Documents\NijQXmjxw4UlOwL85E0wDUqX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\H3YRWlDAYyTCBdkY0NCWNCxljJRy9xAz	reg_value	C:\Users\test22\Documents\2L2L1jMPmExBF9tAZYyB2C6W.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\FxrNUOBlyexeYlN5TCVbag52JVAimVzp	reg_value	C:\Users\test22\Documents\PgE8K43ABwmQpr95yaKp9jIE.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1zD9Od8doIGYs0snWjqYEt9oyxVW92br	reg_value	C:\Users\test22\Documents\YA2XNqpwuBcL3ehMNPV7Oroj.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0YLbHmdvrZCZVU9rBZWFMOQpT8zRRwqG	reg_value	C:\Users\test22\Documents\WTfXnphRC8huYIdWhskoAPeI.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HgHJwMe5s5k7wvM5Q5kaLRiO7miXIGMZ	reg_value	C:\Users\test22\Documents\yXhOeGJafvD8GEBNs3nk3Y6l.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\73MKnGwmsKg0oO7QRRIDBXu3MlrbvPl5	reg_value	C:\Users\test22\Documents\b5H78AnTRHQKeDa7qrU7yfaz.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IS8BZV0dilVWO2cyl7sX5aWmSPqrjEiI	reg_value	C:\Users\test22\Documents\fRAFxdpLVnbTgjTbuEphXWyk.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\6VtKpJ4eDM4y57S7Ltk7paZWCxFrIIeB	reg_value	C:\Users\test22\Documents\ca6efow9x7v5N6N2l15Zoaor.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\6WI1ENV4s2DqZICjY64ZiYUn0aIJ3jLF	reg_value	C:\Users\test22\Documents\vOiK5mUnDQ2ACY7oi8O50qCf.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CeAnFLBJr7eW4dF5XFelFKSkLsNOCRUj	reg_value	C:\Users\test22\Documents\MCNidcjz47SJVQPa6pg3vn7h.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MacX8wGZn5RO7FdbVvp7s4ySMuobvoas	reg_value	C:\Users\test22\Documents\Epf9c5us6IcXv2fckkgpIWb1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lJKNHoo9fiATSb77Bf4pK7r5QKUqTCBt	reg_value	C:\Users\test22\Documents\OoxCdXuJCCu0kQeeHEUXqeJR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bO77U8qcgRywAnuedhSZmppE7oi5q0IB	reg_value	C:\Users\test22\Documents\ffaUMgBXXuVBQLMqHXWLkdHn.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\j29qZuwqIwXNuw4Zf3VuKrrh8FTxIG0q	reg_value	C:\Users\test22\Documents\Yw27jDCYE2f8WZpdm2rCKrBv.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KbsUb8iC5rcoYOVJ3BoW1HfgVd00ijTe	reg_value	C:\Users\test22\Documents\vGYqEW9TGyzkCctz7ShRWRl1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5M87IsdWX7I1stfPIgGEdLfQCH3KL81Q	reg_value	C:\Users\test22\Documents\fgfmno2HQxoUAFbt6YXVmOAD.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qs5BySKYF2UQDEjNhhuLNdTcGqRDwvHk	reg_value	C:\Users\test22\Documents\gcqbp59iUR7C6kAM2IMGI6ju.exe

Loads a driver (6 events)

Time & API	Arguments	Return
NtLoadDriver March 22, 2021, 6:39 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\918zi26943Nk	3221225473
NtLoadDriver March 22, 2021, 6:39 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\R10eY4jCs68	3221225473
NtLoadDriver March 22, 2021, 6:39 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\NOS4s5pQ77RW9y	3221225473
NtLoadDriver March 22, 2021, 6:39 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\3Z16frbb	3221225473
NtLoadDriver March 22, 2021, 6:39 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\hMfA4	3221225473
NtLoadDriver March 22, 2021, 6:39 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\RCKFsD2c2QXG8h6	3221225473

Creates known Hupigon files, registry keys and/or mutexes (1 event)

file	C:\Users\test22\Documents\Fomp1MNqT1qoOalppNOTVqqq.exe

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 22, 2021, 6:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 6688 process_handle: 0x00000080	1	1	0
WriteProcessMemory March 22, 2021, 6:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1432 process_handle: 0x00000080	1	1	0

Network activity contains more than one unique useragent (2 events)

process	n0oSwoEaFqSuaqsUFmRSJHZJ.exe				useragent	Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
process	1dQ3IWYgjVIIBuNVqOAUOdYX.exe				useragent	Mozilla/4.0 (compatible; MSIE 4.0; Windows Phone OS 4.0; Trident/4.0; IEMobile/4.0; HTC; Titan)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7012 called NtSetContextThread to modify thread in remote process 6688
Process injection	Process 7932 called NtSetContextThread to modify thread in remote process 1432
NtSetContextThread March 22, 2021, 6:39 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 6688	1	0	0
NtSetContextThread March 22, 2021, 6:39 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 1432	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\test22\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb8,0xbc,0xc0,0x8c,0xc4,0x7fef23a6e00,0x7fef23a6e10,0x7fef23a6e20
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,16274414662301426042,6720071362444547471,131072 --user-data-dir="C:\Users\test22\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1032 /prefetch:2

Resumed a suspended thread in a remote process potentially indicative of process injection (26 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7012 resumed a thread in remote process 6688
Process injection	Process 7932 resumed a thread in remote process 1432
Process injection	Process 8164 resumed a thread in remote process 3568
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 6688	1	0	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 1432	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000000000000150 suspend_count: 2 process_identifier: 3568	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (7 events)

cmdline	C:\Users\test22\Documents\5iFzEI3Eo5tXP9slEDOf3rRU.exe
cmdline	C:\Users\test22\Documents\5Oc9GRVHpSSRzF2RAhl0d5ru.exe
cmdline	C:\Users\test22\Documents\2TjYXdSVrRztFP90PoUR6EdU.exe
cmdline	C:\Users\test22\Documents\NolwaFB373yuaNXE8pgtlkRU.exe
cmdline	C:\Users\test22\Documents\YNpUyLAs5kiDZI6nX13KUyDu.exe
cmdline	C:\Users\test22\Documents\RHpE7X4zW5IrXs6pWluMmSDu.exe
cmdline	C:\Users\test22\Documents\M42V6rP3F82KispFxUL0XmDu.exe

Generates some ICMP traffic

Drops 230 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 98 events)

file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Extension Rules\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Safe Browsing\UrlCsdWhitelist.store
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Crashpad\reports\7c059300-445b-4692-a9d7-f2e0e94a3dab.dmp
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\GrShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Cache\data_2
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\68e04385ceb6b243_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Cache\f_000008
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\shared_proto_db\metadata\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\CacheStorage\28da9c56fde4021055a681112c092453f74d8dd8\86db32f4-11be-40e4-83e8-b602b85321c3\c3d5cfb6a1cf033d_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\GrShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Subresource Filter\Indexed Rules\27\9.18.0\Ruleset Data
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\SafetyTips\2496\safety_tips.pb
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\769de8625d12ef97_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\TLSDeprecationConfig\3\tls_deprecation_config.pb
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\CacheStorage\28da9c56fde4021055a681112c092453f74d8dd8\86db32f4-11be-40e4-83e8-b602b85321c3\3fa8afa46bc28533_1
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\c5b4e0167b0e167e_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\IndexedDB\https_www.google.com_0.indexeddb.leveldb\MANIFEST-000001
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\ee1fd96d3c7a6bbf_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Module Info Cache
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\FontLookupTableCache\font_unique_name_table.pb
file	c:\users\test22\appdata\local\temp\cghjgasaaz99\crashpadmetrics.pma
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\3f5c8c831020c0ab_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\7b942c6b7304d5b2_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Cache\f_00000b
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\PnaclTranslationCache\index
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\ScriptCache\653e56b4b6556a9e_1
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\CacheStorage\28da9c56fde4021055a681112c092453f74d8dd8\index.txt
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_3
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\BrowserMetrics\BrowserMetrics-5F9FEA6D-37C.pma
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Sessions\Session_13248789357672558
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\ScriptCache\653e56b4b6556a9e_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\History Provider Cache
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Session Storage\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\000003.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\ThirdPartyModuleList64\2018.8.8.0\module_list_proto
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Local Storage\leveldb\000010.log
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\CacheStorage\28da9c56fde4021055a681112c092453f74d8dd8\86db32f4-11be-40e4-83e8-b602b85321c3\f91ed68f38846db8_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Safe Browsing\UrlSubresourceFilter.store
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\5991f2397acd26b1_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Safe Browsing\UrlMalBin.store
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Safe Browsing\CertCsdDownloadWhitelist.store
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\bfdbf1921d846a2f_0
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Translate Ranker Model
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Cache\f_000002
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Sessions\Tabs_13248789357733302
file	C:\Users\test22\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\Database\000003.log

Executed a process and injected code into it, probably while unpacking (50 out of 7575 events)

Time & API	Arguments	Status	Return
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x000005a4 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x000005b4 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x000005c8 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x000005ec suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x000005fc suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x00000628 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x0000065c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x0000067c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x000006a0 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x000006e0 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x000006fc suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x00000770 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x00000804 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x00000898 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:38 p.m.	thread_handle: 0x0000076c suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW March 22, 2021, 6:38 p.m.	thread_identifier: 6568 thread_handle: 0x0000077c process_identifier: 668 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\4vAYzzZecewY7zkMr7EiwgUR.exe track: 1 command_line: "C:\Users\test22\Documents\4vAYzzZecewY7zkMr7EiwgUR.exe" filepath_r: C:\Users\test22\Documents\4vAYzzZecewY7zkMr7EiwgUR.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000860	1	1
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000898 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000008a4 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000008e4 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000880 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000075c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000604 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000008d4 suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\asRFt8RT75ITMqT1h8TShcY9.exe track: 0 command_line: "C:\Users\test22\Documents\asRFt8RT75ITMqT1h8TShcY9.exe" filepath_r: C:\Users\test22\Documents\asRFt8RT75ITMqT1h8TShcY9.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000007e8 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000938 suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 3320 thread_handle: 0x0000077c process_identifier: 5860 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\qJJJ5PjC2OdKiUWQLp469ttl.exe track: 1 command_line: "C:\Users\test22\Documents\qJJJ5PjC2OdKiUWQLp469ttl.exe" filepath_r: C:\Users\test22\Documents\qJJJ5PjC2OdKiUWQLp469ttl.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000874	1	1
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 3684 thread_handle: 0x00000924 process_identifier: 7012 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\ScKRrxLE7CjrRCRzkCjU1Fnn.exe track: 1 command_line: "C:\Users\test22\Documents\ScKRrxLE7CjrRCRzkCjU1Fnn.exe" filepath_r: C:\Users\test22\Documents\ScKRrxLE7CjrRCRzkCjU1Fnn.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000868	1	1
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000090c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000008c8 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000077c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000950 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000964 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000009b4 suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\hgvv8qC9AupFAgNzEPOEDB6Z.exe track: 0 command_line: "C:\Users\test22\Documents\hgvv8qC9AupFAgNzEPOEDB6Z.exe" filepath_r: C:\Users\test22\Documents\hgvv8qC9AupFAgNzEPOEDB6Z.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 4900 thread_handle: 0x000009d8 process_identifier: 7932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\4DcEhngDii9jWa300VqydC7E.exe track: 1 command_line: "C:\Users\test22\Documents\4DcEhngDii9jWa300VqydC7E.exe" filepath_r: C:\Users\test22\Documents\4DcEhngDii9jWa300VqydC7E.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000009b8	1	1
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000009c4 suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\FXcNe0poqpGDUrv7FlCBQzFC.exe track: 0 command_line: "C:\Users\test22\Documents\FXcNe0poqpGDUrv7FlCBQzFC.exe" filepath_r: C:\Users\test22\Documents\FXcNe0poqpGDUrv7FlCBQzFC.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000009cc suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\Sab5lZf5ptnGmDgDBGOJYuiP.exe track: 0 command_line: "C:\Users\test22\Documents\Sab5lZf5ptnGmDgDBGOJYuiP.exe" filepath_r: C:\Users\test22\Documents\Sab5lZf5ptnGmDgDBGOJYuiP.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000009d8 suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\1MoEeJLYbFevngcWv1h2GyXG.exe track: 0 command_line: "C:\Users\test22\Documents\1MoEeJLYbFevngcWv1h2GyXG.exe" filepath_r: C:\Users\test22\Documents\1MoEeJLYbFevngcWv1h2GyXG.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 2424 thread_handle: 0x00000a68 process_identifier: 7000 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\ygI0QLcrBImRDyNapFSUIXac.exe track: 1 command_line: "C:\Users\test22\Documents\ygI0QLcrBImRDyNapFSUIXac.exe" filepath_r: C:\Users\test22\Documents\ygI0QLcrBImRDyNapFSUIXac.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000a64	1	1
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 7304 thread_handle: 0x00000a70 process_identifier: 3944 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\g48buoQfafbTYKRsRvLFhkSV.exe track: 1 command_line: "C:\Users\test22\Documents\g48buoQfafbTYKRsRvLFhkSV.exe" filepath_r: C:\Users\test22\Documents\g48buoQfafbTYKRsRvLFhkSV.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000a6c	1	1
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 4168 thread_handle: 0x00000a78 process_identifier: 7804 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\n0oSwoEaFqSuaqsUFmRSJHZJ.exe track: 1 command_line: "C:\Users\test22\Documents\n0oSwoEaFqSuaqsUFmRSJHZJ.exe" filepath_r: C:\Users\test22\Documents\n0oSwoEaFqSuaqsUFmRSJHZJ.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000a74	1	1
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 4164 thread_handle: 0x00000a80 process_identifier: 3004 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\1dQ3IWYgjVIIBuNVqOAUOdYX.exe track: 1 command_line: "C:\Users\test22\Documents\1dQ3IWYgjVIIBuNVqOAUOdYX.exe" filepath_r: C:\Users\test22\Documents\1dQ3IWYgjVIIBuNVqOAUOdYX.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000a7c	1	1

Stops Windows services (6 events)

service	R10eY4jCs68 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\R10eY4jCs68\Start)
service	hMfA4 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hMfA4\Start)
service	NOS4s5pQ77RW9y (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NOS4s5pQ77RW9y\Start)
service	3Z16frbb (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\3Z16frbb\Start)
service	RCKFsD2c2QXG8h6 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RCKFsD2c2QXG8h6\Start)
service	918zi26943Nk (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\918zi26943Nk\Start)

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen12.46475
MicroWorld-eScan	Trojan.GenericKD.36540713
FireEye	Generic.mg.2151c4b970eff007
McAfee	Artemis!2151C4B970EF
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanSpy:MSIL/Stealer.23094ff5
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.fbee47
Arcabit	Trojan.Generic.D22D9129
BitDefenderTheta	Gen:NN.ZemsilF.34628.am0@aC18vXm
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Trojan.GenericKD.36540713
Paloalto	generic.ml
Tencent	Msil.Trojan-spy.Stealer.Hoej
Ad-Aware	Trojan.GenericKD.36540713
Emsisoft	Trojan.GenericKD.36540713 (B)
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1137614
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Backdoor:Win32/Bladabindi!ml
GData	Trojan.GenericKD.36540713
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.36540713
MAX	malware (ai score=82)
Malwarebytes	Trojan.Downloader
ESET-NOD32	a variant of MSIL/TrojanDownloader.Small.CLF
Rising	Trojan.IPLogger!1.B69D (CLOUD)
Ikarus	Trojan-Downloader.MSIL.Small
eGambit	Unsafe.AI_Score_58%
Fortinet	MSIL/Small.CLF!tr.dldr
AVG	Win32:DropperX-gen [Drp]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/TrojanSpy.Generic.HgIASRIA

cVI5v4hgahjKJBO4qaFks3SD.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All